status.allowAnonymous: false setting is not respected #579
Comments
|
@oscarkraemer Thanks for reporting this! the status API is registered at https://github.com/elastic/kibana/blob/v7.9.1/src/legacy/server/status/routes/api/register_status.js#L28 , and the this is default setting inherited from the old version of security plugin https://github.com/opendistro-for-elasticsearch/security-kibana-plugin/blob/master/index.js#L44 . We need to learn why they set status API into default unauthenticated routes from the old plugin author. |
|
Hi @zengyan-amazon, |
IMO /api/status should deny anonymous access by default, ATM unauthenticated users can access /api/status when using security-kibana-plugin.
If I have understood status.allowAnonymous https://www.elastic.co/guide/en/kibana/current/settings.html correctly it should deny anonymous access to /api/status, /status and /api/stats by default.
OpenDistro secuirty-kibana-plugin have an undocumented variable
opendistro_security.auth.unauthenticated_routesI guess here are the critical lines:https://github.com/opendistro-for-elasticsearch/security-kibana-plugin/blob/dec85706fa38e00a88f9b3292f452e97b2b071e7/server/index.ts#L72
https://github.com/opendistro-for-elasticsearch/security-kibana-plugin/blob/dec85706fa38e00a88f9b3292f452e97b2b071e7/server/index.ts#L78
IMO the unauthenticated_routes should either not exists or the default value should be []. I don’t understand why it was changed in https://github.com/opendistro-for-elasticsearch/security-kibana-plugin/pull/167 .
Here is an example of the information that is leaked through this path https://demo.elastic.co/api/status .
In the security scans that was ran against my installation this was categorised as a “weakness” .
The text was updated successfully, but these errors were encountered: